dayne.broderson.org

OpenVAS + Kali + Raspberry Pi = Vulnerability Scanner

24 May 2018

A recent project needed a vulnerability scanner that could be deployed to a variety of clients and their networks to do a vulnerability scan. This would act as one component of a larger activity to ensure a secure system for credit card handling.

The goal was to look at the network like an attacker would: find open services and detect if they had known vulnerabilities. There are a variety of open source and commercial products for doing vulnerability scans, but I decided to focus efforts on OpenVAS, a well-recognized and helpful tool for administrators needing to identify potential security issues on their networks.

As part of the effort I wanted to evaluate the use of this tool on a Raspberry Pi. Turns out it can work for single host scanning but has some limitations for larger network scans.

The Install OpenVAS for Broad Vulnerability Assessment guide by Barrow on Null-Byte Wonder How To is still relevant as of May 2018 for the RPI Kali 2018.02 as put out by the Offensive Security team.

Installing Kali & OpenVAS

There were a few false starts as I learned a few gotchas of both Kali Linux and OpenVAS. This is the basic checklist I ran through to get a happy OpenVAS on my RPi using a 16GB SD card:

  • download Kali Linux for RPI
    • https://www.offensive-security.com/kali-linux-arm-images/
  • validate the download:
    • https://docs.kali.org/introduction/download-official-kali-linux-images#sha256sums
  • burn to an SD card
  • boot the system
  • change the password (root, toor)
  • update the system:
    • apt update && apt upgrade --yes && apt dist-upgrade --yes
  • change the sshd keys
    • rm /etc/ssh/ssh_host_*
    • dpkg-reconfigure openssh-server
    • service ssh restart
  • resize the root filesystem (8GB default size not enough for OpenVAS)
    • fdisk /dev/mmcblk0
      • delete part 2, recreate - use same start point (pay attention) & max size
    • resize2fs /dev/mmcblk0p2
  • reboot system
  • grab htop (for watching system metrics) & lsof (for openvas)
    • apt install htop lsof
  • install openvas
      
    apt-get install -y openvas
    openvas-setup  # wait a long time
                   # capture the admin password generated
    openvas-start  # should auto launch your web browser
                   # if not go to https://127.0.0.1:9392/ 
                   # and login using admin/(password)
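
The fdisk step in the checklist is the risky one: if the recreated partition 2 does not start at the same sector, the existing root filesystem is no longer where the kernel expects it. As an added example (not from the original post), this script compares sfdisk -d /dev/mmcblk0 dumps saved before and after the fdisk session; the sector values in the sample dumps are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: guard for the fdisk step. Compare `sfdisk -d /dev/mmcblk0`
# dumps taken before and after recreating partition 2.

# Constructed sample dumps (sector values are illustrative, not from the post).
BEFORE='/dev/mmcblk0p1 : start=        2048, size=      256000, type=c
/dev/mmcblk0p2 : start=      258048, size=    14336000, type=83'
AFTER_OK='/dev/mmcblk0p1 : start=        2048, size=      256000, type=c
/dev/mmcblk0p2 : start=      258048, size=    30858240, type=83'
AFTER_MOVED='/dev/mmcblk0p1 : start=        2048, size=      256000, type=c
/dev/mmcblk0p2 : start=      260096, size=    30856192, type=83'

# part_field DUMP PARTITION FIELD -> prints FIELD (start or size) in sectors.
part_field() {
    printf '%s\n' "$1" | sed -n "s|^$2 *: .*$3= *\([0-9][0-9]*\).*|\1|p"
}

# safe_to_resize BEFORE AFTER PARTITION
# Returns 0 only if the partition starts at the same sector and has grown.
safe_to_resize() {
    old_start=$(part_field "$1" "$3" start); new_start=$(part_field "$2" "$3" start)
    old_size=$(part_field "$1" "$3" size);   new_size=$(part_field "$2" "$3" size)
    if [ -z "$old_start" ] || [ -z "$new_start" ]; then
        echo "$3 missing from one of the dumps" >&2; return 2
    fi
    if [ "$old_start" -ne "$new_start" ]; then
        echo "start moved $old_start -> $new_start: do not run resize2fs" >&2
        return 1
    fi
    if [ "$new_size" -le "$old_size" ]; then
        echo "partition did not grow ($old_size -> $new_size sectors)" >&2
        return 1
    fi
    echo "start $new_start unchanged, size $old_size -> $new_size sectors"
}

safe_to_resize "$BEFORE" "$AFTER_OK" /dev/mmcblk0p2
safe_to_resize "$BEFORE" "$AFTER_MOVED" /dev/mmcblk0p2 || echo "fix the table first"
```

On the Pi, capture the first dump before opening fdisk and the second after writing the new table, then run resize2fs only when the check passes.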
    

Doing an OpenVAS scan

Once the web GUI is up you can create a new scan job using the Task Wizard found via:

Scans -> Tasks -> Purple Wand Icon -> Task Wizard

Use the wizard to create a scan for your target system using its IP or DNS name. Doing a single system scan worked well for me. It took a long while to get through all 60,000 Network Vulnerability Tests, but it did complete and allowed me to review the report.

I did this process using the RPi with Kali as a desktop workstation. It became quickly apparent that the RPi struggles to provide the OpenVAS administrator website (Greenbone Security Assistant). Patience is required after a click while you wait for the action to be processed and the page rendered.

The full scan of a single system took about two hours. Not great but not too shabby if you have a focused target to check.

Full network scan & limitations

After validating that a single IP scan worked well, I wanted a full home network scan. The task wizard can take a CIDR address for a target: 192.168.16.0/24.

My home network has about 25 devices on it and the initial scan task died before it got even to 2%. I tried a few different runs trying to debug what was going on before I realized the Pi was just running out of resources and killing random processes (the scanner, the website, firefox tabs, terminals).

This is because the default for a new scan is to scan 30 hosts concurrently with up to 10 Network Vulnerability Tests (NVT) per host. This 30/10 combo clearly was way out of line for the amount of RAM a RPi brings to the table.
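
To confirm that crashes like these come from the kernel's out-of-memory killer, and to see which processes it picked, the kernel log can be summarised as follows. This is an added example, not from the original post: the log lines are constructed, the function names are hypothetical, and openvassd and gsad are assumed to be the process names of the installed OpenVAS scanner and Greenbone Security Assistant.

```shell
#!/bin/sh
# Added example: list the processes the kernel OOM killer terminated.
# On a live system feed it the kernel log: dmesg | oom_victims

# Constructed sample log (PIDs, sizes and timestamps are illustrative).
sample_kernel_log() {
    cat <<'EOF'
[ 8123.41] Out of memory: Kill process 2301 (openvassd) score 412 or sacrifice child
[ 8123.42] Killed process 2301 (openvassd) total-vm:612340kB, anon-rss:401220kB, file-rss:0kB
[ 9410.10] Out of memory: Kill process 1877 (firefox-esr) score 388 or sacrifice child
[ 9410.11] Killed process 1877 (firefox-esr) total-vm:980112kB, anon-rss:377004kB, file-rss:0kB
[ 9990.70] usb 1-1.4: new high-speed USB device number 5 using dwc_otg
[10050.02] Out of memory: Kill process 2544 (openvassd) score 430 or sacrifice child
[10050.03] Killed process 2544 (openvassd) total-vm:655120kB, anon-rss:420876kB, file-rss:0kB
[10311.55] Out of memory: Kill process 990 (gsad) score 120 or sacrifice child
[10311.56] Killed process 990 (gsad) total-vm:201440kB, anon-rss:98120kB, file-rss:0kB
EOF
}

# Reads kernel log text on stdin, prints "COUNT NAME" per victim, most-killed
# first. Only "Killed process" lines are counted; the preceding
# "Out of memory: Kill process ..." line announces the same kill. Newer
# kernels that log "Out of memory: Killed process ..." are matched as well.
oom_victims() {
    sed -n 's/.*Killed process [0-9][0-9]* (\([^)]*\)).*/\1/p' |
        LC_ALL=C sort | uniq -c | sed 's/^ *//' |
        LC_ALL=C sort -k1,1nr -k2
}

# Reads kernel log text on stdin, prints the total number of OOM kills.
oom_kill_count() {
    grep -c 'Killed process [0-9]' || true
}

sample_kernel_log | oom_victims
echo "total OOM kills: $(sample_kernel_log | oom_kill_count)"
```

A scan run that ends with the scanner at the top of this list was stopped by memory pressure, which points at the concurrency settings rather than at the target or the scan configuration.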

I then switched to 1 host 5 NVTs (1/5) and unleashed that for a day. That plugged along and got to about 30% completion after 24 hours. During that time I monitored the resources (htop) and noticed there were still spare CPU cycles and RAM available.

Switched to 3 hosts 7 NVTs (3/7) and saw it get to about 50% in 24 hours - there appeared to be times when there was still spare RAM and CPUs.

One more twiddle to three hosts and 10 NVTs (3/10) and I saw crashing behavior again.

At this point I realized that RPi vulnerability scanning (based on OpenVAS) is viable but not recommended for those hoping to do a quick deploy, full network scan, and demobilization. It just takes too long to do a full network scan.

TL;DR

  • OpenVAS runs on a Raspberry Pi, with the caveat that the management website is a bit sluggish.
  • Default OpenVAS settings for a scan task can’t be used on an RPi as it will run out of resources and start crashing/killing processes. Dial task settings down from (30/10) to something like 3 concurrent hosts with 5 concurrent NVTs (3/5) with the understanding that it could take multiple days to complete a full network scan.
  • RPi + OpenVAS could be a viable tool for a long-term deploy situation where you want weekly vulnerability tests and it is OK for it to take a while to do the scan: update feed, launch scan, and by end of the week it is done and you’ve got a new vulnerability report.